[Mimedefang] CLSID extension vulnerabilities
Michael McCarthy
m.mccarthy at psy.uq.edu.au
Wed May 22 20:40:28 EDT 2002
GFI have an interesting email security system test
(http://www.gfi.com/emailsecuritytest/) if you want to test out your
mimedefang-filter against a few of the more esoteric Windows exploits.

In particular it sends a test attachment with a CLSID extension,
e.g. viewthis.jpg.{73a4c9c1-d68d-11d0-98bf-00a0c90dc8d9}

Regardless of its Folder options View settings, Explorer displays the
filename as viewthis.jpg even though it could be an executable object (in
their demo it is and it creates a file on your desktop).

The point is that my mimedefang-filter didn't block this attachment. I'd
suggest modifying filter_bad_filename in the sample filter to:

    # Flag attachments whose name contains a risky extension or a {CLSID} suffix.
    sub filter_bad_filename {
        my($entity) = @_;
        return re_match($entity,
            '\.(ade|adp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|hlp|hta|inf|ini|ins|isp|js|jse|lib|lnk|mde|msc|msi|msp|mst|ocx|pcd|pif|reg|scr|sct|shb|shs|sys|url|vb|vbe|vbs?|vxd|wsc|wsf|wsh|\{[a-f0-9-]+\})');
    }

Cheers
-
================
Michael McCarthy
IT Manager
School of Psychology
The University of Queensland
+617 3365 6687
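
A stand-alone check of the pattern suggested in the message above, added here as an example; it is not part of the original post or of MIMEDefang. The matches() helper is a hypothetical stand-in for re_match() and is assumed to apply the pattern case-insensitively to the attachment name, the end-anchored variant is an assumption for comparison, and every sample filename except the first is constructed.

```perl
#!/usr/bin/perl
# Added example: exercise the posted extension pattern against sample names.
use strict;
use warnings;

# Pattern copied from the post, split over lines for readability.
my $posted = '\.(ade|adp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|hlp|hta|inf|ini|'
           . 'ins|isp|js|jse|lib|lnk|mde|msc|msi|msp|mst|ocx|pcd|pif|reg|scr|'
           . 'sct|shb|shs|sys|url|vb|vbe|vbs?|vxd|wsc|wsf|wsh|\{[a-f0-9-]+\})';

# Assumption (not from the post): a variant that only inspects the final
# extension, tolerating trailing dots and spaces after it.
my $anchored = $posted . '[. ]*$';

# Hypothetical stand-in for re_match(): case-insensitive match on the name.
sub matches {
    my ($filename, $pattern) = @_;
    return $filename =~ /$pattern/i ? 1 : 0;
}

# Sample filenames; only the first one comes from the post, the rest are
# constructed for this check.
my @samples = (
    'viewthis.jpg.{73a4c9c1-d68d-11d0-98bf-00a0c90dc8d9}',
    'VIEWTHIS.JPG.{73A4C9C1-D68D-11D0-98BF-00A0C90DC8D9}',
    'setup.exe.',             # listed extension followed by a trailing dot
    'holiday.jpg',            # benign, should pass both patterns
    'notes.commentary.txt',   # benign, but contains ".com" mid-name
);

printf "%-55s %-7s %s\n", 'filename', 'posted', 'anchored';
for my $name (@samples) {
    printf "%-55s %-7s %s\n", $name,
        (matches($name, $posted)   ? 'BLOCK' : 'pass'),
        (matches($name, $anchored) ? 'BLOCK' : 'pass');
}
```

Both patterns flag the CLSID-suffixed names; the unanchored pattern from the post also flags the benign name containing ".com", which is the over-blocking trade-off to weigh before deploying it.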